title: Mshta (T1218.005)
id: df00tech-t1218-005
status: experimental
description: "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. Mshta.exe executes Microsoft HTML Application (HTA) files outside of the Internet Explorer browser security context, bypassing browser security settings and application control solutions. HTA files can be loaded locally, from remote URLs (mshta http://server/payload.hta), or as inline scripts (mshta vbscript:...). This technique is widely used by nation-state APTs including FIN7, Lazarus Group, APT29, APT32, MuddyWater, Kimsuky, Sidewinder, Gamaredon, and many others, making it one of the most commonly abused LOLBins for initial access and execution."
references:
  - https://attack.mitre.org/techniques/T1218/005/
  - https://df00tech.com/detections/T1218.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legacy enterprise applications that use HTA files for management interfaces or configuration wizards
  - Some older IT management tools (HP, Dell BIOS update utilities) that use HTA for their installation UI
  - Legitimate corporate HTA-based tools deployed by IT for specific administrative tasks
  - Software vendors whose legacy applications use HTA for splash screens or update notifications
level: high
